From: Michael E. <men...@ka...> - 2002-12-18 16:18:17

hi all -

I'm about to put a Webware 0.7 site into production and have been going through my system for possible security holes (Unix).

Is there anything in particular I should keep in mind as far as Webware for security? I read the Wiki on Security but it's mostly stuff I already know about in regards to general security and session id security, etc. Are there any inherent risks in running .py files (generated by Cheetah) in my webware application directory?

If I remove all the extraneous application contexts (including Admin) is the only directory that will serve files the context that I setup for my application?

Thanks for any suggestions to cure my paranoia :-)

Mike
From: Jacob M. <jma...@in...> - 2004-04-16 16:18:58

i just read through the security section of the wiki.

a few quick questions...

- have there been any security related problems with the webware server itself in the past?

- is it safe to assume that webware is largely invulnerable to buffer overrun exploits, similar to java, because memory allocation is handled automatically, or are there parts of webware written in C that could be problematic? i'm using webkit + mod_webkit in apache2.

- other than logic errors in the code of a deployed app, is there anything in particular to look out for like register_globals in PHP?

thanks!

-jacob
From: Jacob M. <jma...@in...> - 2004-04-16 16:30:43

I guess what I'm curious overall is where does Webware fit into the spectrum of Tomcat/JBoss on the "secure" side, IIS on the "weak" side and PHP somewhere in the middle?

Thanks!

-Jacob

On Fri, 2004-04-16 at 11:37, Jacob Martinson wrote:
> i just read through the security section of the wiki.
>
> a few quick questions...
>
> - have there been any security related problems with the webware server
> itself in the past?
>
> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic? i'm using webkit + mod_webkit in apache2.
>
> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?
>
> thanks!
>
> -jacob
From: Ian B. <ia...@co...> - 2004-04-16 16:50:40

Jacob Martinson wrote:
> i just read through the security section of the wiki.
>
> a few quick questions...
>
> - have there been any security related problems with the webware server
> itself in the past?

The only one I can remember is when we were using SmartCookie (from the Python Cookie standard library), which is considered insecure.

> - is it safe to assume that webware is largely invulnerable to buffer
> overrun exploits, similar to java, because memory allocation is handled
> automatically, or are there parts of webware written in C that could be
> problematic? i'm using webkit + mod_webkit in apache2.

mod_webkit is written in C, and could potentially have a buffer overrun in it, though I'm pretty sure it's okay (it's very small). Maybe the marshalling process in the adapter interface could cause a problem; I assume marshal is written in C. However, I think it's probably pretty secure. No other part of Webware should have a problem.

> - other than logic errors in the code of a deployed app, is there
> anything in particular to look out for like register_globals in PHP?

Just the normal quoting issues, SQL injection, Javascript cross-site-scripting attacks, etc. Python doesn't have tainted strings, so you don't get that particular check as you would in Perl. But really it's the same things you have to think about anywhere, and Python has good ways to deal with these (e.g., use parameters instead of string substitution in your SQL).

Ian
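An added illustration of the "parameters instead of string substitution" point in Ian's reply above; this is example code, not from the thread or from Webware, and it uses Python's standard sqlite3 module with a table and rows constructed for the demonstration:

```python
"""Added example (not from the thread): why parameter binding is safer
than pasting request input into SQL text.  Table and rows are constructed."""
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_substituted(conn, name):
    """The pattern the reply warns against: the input becomes part of the
    SQL text, so a quote character in it changes the statement's structure
    instead of being treated as data."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The recommended form: the driver binds the value separately from the
    statement, so the input is only ever compared as data."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def substitution_breaks(conn, name):
    """True when the substituted query no longer parses for this input,
    i.e. the input has altered the SQL rather than being matched by it."""
    try:
        lookup_substituted(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, "O'Brien"))  # ['user']
    print(substitution_breaks(db, "O'Brien"))   # True
```

A legitimate name containing an apostrophe is enough to break the substituted query, which is the same mechanism an attacker relies on; the bound parameter handles it as ordinary data.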
From: Ian B. <ia...@co...> - 2002-12-18 18:49:19

You may want to remove extraneous contexts -- they aren't generally necessary anyway.

Of course, there are a whole set of general scripting security issues -- mostly boiling down to not implicitly trusting any input you receive.

You may want to consider the user you run the AppServer as, and the permissions you want to use. If you use MakeAppWorkDir, the entire Webware directory can be set not to be writable.

On Wed, 2002-12-18 at 10:17, Michael Engelhart wrote:
> hi all -
>
> I'm about to put a Webware 0.7 site into production and have been going
> through my system for possible security holes (Unix).
>
> Is there anything in particular I should keep in mind as far as
> Webware for security? I read the Wiki on Security but it's mostly
> stuff I already know about in regards to general security and session
> id security, etc. Are there any inherent risks in running .py files
> (generated by Cheetah) in my webware application directory?
>
> If I remove all the extraneous application contexts (including Admin)
> is the only directory that will serve files the context that I setup
> for my application?
>
> Thanks for any suggestions to cure my paranoia :-)
>
> Mike

-- 
Ian Bicking <ia...@co...>